How I found and removed a WordPress hack


Yesterday, a WordPress server that I look after for a friend had been broken into. Instead of trashing the site, the script-kiddy hooked the server into a spam bot-net, and proceeded to send thousands of emails from the host. In addition, the script-kiddy added in some extra ‘hidden’ content onto the server, and then got Google to scan for that content. In essence, the server was still ‘working’ but was also being used for other purposes.

One of the things that my first UNIX instructor, Harry Eleftheriou, showed me was the power of ‘pipes’. Pipelining commands together was THE way to use simple yet finely crafted programs to make life easier. Today, that came to the fore.

I wanted to find all successful requests (HTTP Response 200) from the logs. From that I wanted to extract the script names (the 7th field in the log entry) that were being executed, and find which scripts were being called most regularly. The command that I came up with looked like the following:

# grep " 200 " http_access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -7
 1063 /wp-includes/js/swfupload/general.php
  666 /wp-login.php
  184 /wp-admin/admin-ajax.php
  179 /favicon.ico
   84 /wp-includes/Text/stats.php
   78 /
   39 /robots.txt

That command quickly highlighted what scripts were being run. And a few of them didn’t look right; a quick look at those files told me that two of them were infected/fake files and could be removed. After running that on all the logfiles, I had found all the infected files. Now, off to install Tripwire.
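A variant of the pipeline above, as an added example that is not from the original post: it compares the status field exactly (grep " 200 " also matches any line whose response size happens to be 200) and separately lists PHP answered from directories assumed to hold only static files. The function names, the directory list and the sample log lines are assumptions constructed for illustration, and the Apache/nginx "combined" log format is assumed.

```shell
#!/usr/bin/env bash
# Added example, not the post author's script.
# Assumes "combined" log format: $6 = "METHOD, $7 = path, $9 = status, $10 = size.
# Malformed request lines (e.g. containing spaces) shift the fields and are not handled.

# top_ok_paths LOGFILE [N]
# Top N paths answered with status 200, query strings stripped, as "count path".
top_ok_paths() {
  awk '$9 == 200 { p = $7; sub(/\?.*/, "", p); n[p]++ }
       END { for (p in n) print n[p], p }' "$1" |
    sort -k1,1nr -k2,2 | head -n "${2:-7}"
}

# suspect_php LOGFILE
# PHP scripts answered with 200 from directories that are assumed (heuristic)
# to contain only static assets or uploads in a stock WordPress install.
suspect_php() {
  awk '$9 == 200 { p = $7; sub(/\?.*/, "", p)
         if (p ~ /^\/(wp-includes\/(js|css|images)|wp-content\/uploads)\/.*\.php$/) n[p]++ }
       END { for (p in n) print n[p], p }' "$1" |
    sort -k1,1nr -k2,2
}

# Constructed sample lines (not taken from the real logs); the client
# addresses are from documentation ranges. The 404 line has a body size of
# 200, so a plain grep " 200 " would count it as a success.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-includes/js/swfupload/general.php HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-includes/js/swfupload/general.php?a=1 HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /missing.php HTTP/1.1" 404 200 "-" "-"
203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "-"
EOF
}

# When called with a log file, print both reports.
if [ -n "${1:-}" ]; then
  top_ok_paths "$1"
  echo "--- PHP served from static/upload directories ---"
  suspect_php "$1"
fi
```

A hit from suspect_php is a prompt to read the file on disk, as the post describes, not a verdict on its own.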
